package com.juqimiao.outposts.resource.api.Configuration;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableOAuth2Client;
import org.springframework.security.oauth2.config.annotation.web.configuration.EnableResourceServer;
import org.springframework.security.oauth2.config.annotation.web.configuration.ResourceServerConfigurerAdapter;
import org.springframework.security.oauth2.config.annotation.web.configurers.ResourceServerSecurityConfigurer;
import org.springframework.security.oauth2.provider.token.RemoteTokenServices;
import org.springframework.security.web.authentication.rememberme.TokenBasedRememberMeServices;
import org.springframework.web.cors.CorsConfiguration;
import org.springframework.web.cors.CorsConfigurationSource;
import org.springframework.web.cors.UrlBasedCorsConfigurationSource;

@Configuration
@EnableResourceServer
public class ResourceServerConfig extends ResourceServerConfigurerAdapter {

    /**
     * 验证Token的方式是通过http://localhost:8080/oauth/check_token远端进行验证。
     * @return RemoteTokenServices对象。
     */
    @Primary
    @Bean
    public RemoteTokenServices tokenServices() {
       // TokenBasedRememberMeServices tokenService = new TokenBasedRememberMeServices();
        final RemoteTokenServices tokenService = new RemoteTokenServices();
        tokenService.setCheckTokenEndpointUrl("http://localhost:8080/oauth/check_token");
        tokenService.setClientId("demoApp2");
        tokenService.setClientSecret("demoAppSecret");
        return tokenService;
    }

    @Override
    public void configure(ResourceServerSecurityConfigurer resources) throws Exception {
        super.configure(resources);
        resources
                .resourceId("outposts-resource-api")
                .stateless(true);
    }

    /**
     * 要正常运行，需要反注释掉这段，具体原因见下面分析
     * 这里设置需要token验证的url
     * 这些需要在WebSecurityConfigurerAdapter中排查掉
     * 否则优先进入WebSecurityConfigurerAdapter,进行的是basic auth或表单认证,而不是token认证
     * @param http Http
     * @throws Exception Exception
     */
    @Override
    public void configure(HttpSecurity http) throws Exception {

        http
                .requestMatchers()
                    .antMatchers("/**")
                .and()
                .authorizeRequests()
                .antMatchers("/employee/msg")
                    .hasAnyAuthority("ROLE_USER:EMPLOYEE:ADDNEW",
                            "ROLE_USER:EMPLOYEE:MODIFY")
                .antMatchers("/employee/**")
                    .denyAll();

    }

    private CorsConfigurationSource coresConfigurationSource(){
        CorsConfigurationSource source =   new UrlBasedCorsConfigurationSource();
        CorsConfiguration corsConfiguration = new CorsConfiguration();
        corsConfiguration.addAllowedOrigin("*");
        corsConfiguration.addAllowedHeader("*");
        corsConfiguration.addAllowedMethod("*");
        ((UrlBasedCorsConfigurationSource) source).registerCorsConfiguration("/**",corsConfiguration);
        return source;
    }
}